In re of: LEROY4 
■ 

Amendment's to the Claims : 

This listing of claims will replace all prior 
versions, and listings, of claims in the application: 

Listing of Claims : 

1. (Currently Amended) A method for controlling 
access to data handled by references in a system for 
executing programs (including processes and tasks), 
characterized — — that wherein upon executing a program, 
it comprises the following steps: 

- having the system store the whole of the references 
which the program obtains by means considered as 
licit; 

- before any operation intended to be forbidden, if it 
deals with values which are not licit references, 
having the system check that these values are among 
the licit references which have been stored for this 
program, and acceptance or rejection of the operation 
accordingly. 
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2. (Currently Amended) The method according to 
claim 1, charQctcrizcd — ift — that wherein the references are 
pointers and/or handles. 

3. (Currently Amended) The method according to 
claim 1, char act or i zed — arfi — that wherein the licit means 
for a program in order to obtain reference values 
comprise at least one of the following operations: 

- reading a variable or a datum belonging to the system 
or to another program, 

- writing into a variable or datum of said program by 
the system or by another program, 

- receiving arguments upon calling a routine of said 
program by the system or by another program, 

- utilization of the return value from the call by said 
program of a routine belonging to the system or to 
another program, 

having said program catch up a raised exception 
during execution of a routine belonging to the system 
or to another program, 

receiving by said program an interruption or a 
valuated signal. 
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4. (Currently Amended) The method according to 
claim 1, charQCtcrizod in that wherein: 

the system comprises a mechanism which 
determines whether a given value is a valid reference, 
and/or 

the stored licit references are limited to the 
sole references on data considered as sensitive for the 
system, and/or 

- said checks check that the values are among the 

sensitive licit references which were stored for this 
program or else which are references determined as valid 
and dealing with data which are not sensitive. 

5. (Currently Amended) The method according to 

claim 4, characterized ±^ that wherein the system 

comprises a firewall which forbids certain operations by 
certain programs on certain referenced data, the data 
considered as being sensitive for the system being those 
for which the operations are not forbidden by the 
firewall . 
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6. (Currently Amended) The method according to 

claim 5, charactGrizcd iR that wherein the firewall 

forbids certain operations by a program on data belonging 
to other programs, except on those declared as shareable. 

7. (Currently Amended) The method according to 
claim 6, charQctorizcd — ifi — that wherein the system is 
based on a Java Card virtual machine and in that wherein: 

- a program consists of the whole of the code 
which is found in a ^Vava Card package"; 

- the firewall is that of the Java Card Runtime 
Environment ( JCRE) ; 

the data declared as shareable (and therefore 
sensitive) are objects which are instances of classes 
which implement the ^^Javacard. framework . Shareable" 
interface as well as, possibly, the objects with public 
use of the system: global arrays and Entry Point Objects 
of JCRE. 

8. (Currently Amended) The method according to 
claim 7, charactorizod — ift — that wherein the system stores 
in the sets of sensitive licit references associated with 
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a package all the references which appear in the 
following cases: 

- receiving arguments of ^Vavacard. framework. Shareable'' 
type when a method of said package is called by 
another package or by the system, 

""'Javacard. framework. Shareable" type return value when 
said package calls a method from another package or 
from the system (including the a 

^'getAppletSharreablelnterf aceObj ect" method of Javac 
ard . framework . JCSystem package" ) , 

reading a public static field of 

^Vavacard . framework . Shareable" type in another 
package or in the system, 

- catching up an instance object of a class from 
(inheriting from) j ava . lang . Throwable" and 
implementing Javacard . framework . Shareable" . 

9. (Currently Amended) The method according to 
efty — e-^ — claimo — 1 — aftd — 4- r claim 1, characterized — ift — that 
wherein the whole of the licit (or — ocnoitivc — licit) 
stored references is represented by a table. 
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10. (Currently Amended) The - method according to 
efty — — claimo — 1 — etf^ — 4- claim 1 ^ characterized — i^ — that 
wherein the set of the licit -fe^e — Qcngitive — licit) stored 
references is emptied, by means of a possibly 
conservative garbage collector, of references which have 
become inactive. 

11. (Currently Amended) The method according to 
any — — claimo — 1 — and — 4- claim 1 , characterized — ifi — that 
wherein : 

- ' the references are represented in the system by 

handles and tables of pointers (or of rofercncco) , 

- some of said tables are possibly reserved for licit 
(or ocnoitivc — licit ) — references , 

the sets of licit -(-a^e oenoitive licit) stored 

references are represented by vectors (or — matricco ) 
of bits associated with some of the tables of 
pointers (or — rcfcrcnceo) , where a bit has a given 
index which represents the presence or the absence of 
the corresponding reference in said sets, 
said vectors of bits are possibly hollow and 
represented by means of a sequence of indexes or 
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lengths corresponding to the extents of bits 
positioned in the same way. 
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